Mobile's Impact on Hospital IT Security in 2013: How Your Institution Can Adapt to BYOD

The healthcare industry continues to experience a barrage of new regulatory requirements, and the widespread adoption of mobile technology is adding fuel to the fire. As hospitals and other healthcare enterprises adopt mobile solutions, the Bring Your Own Device trend is resulting in IT departments taking action to maintain stringent security measures and maintain compliance. In 2013, hospitals are going to require stronger, more comprehensive security measures surrounding the use of mHealth tools by clinicians and staff.

Accordingly to a recent survey of 130 hospitals by Aruba Networks, 85 percent of facilities support their physicians' and staff's use of personal devices at work. Hospital employees and clinicians may be checking their personal email accounts and their work email on the same device, reviewing electronic medical records, checking drug interaction information, using mobile secure file transfer apps to view lab results or radiology images and finding a babysitter for a night out. The convergence of work and personal life is more intertwined than ever, and these devices keep us tethered to the information we need and help us to juggle both.

The survey also revealed that of the facilities that support their physicians' and staff's use of personal devices at work, 83 percent specifically support the use of Apple iPads on the network. Today's smartphone and tablets make accessing email, news and social media sites easier than ever — while also faxing signature approvals on a treatment decision. The BYOD trend is helping healthcare practitioners be more accessible and connected. However, it also raises many questions about how hospitals can best integrate personal devices while still maintaining their existing security policies.

A majority of healthcare institutions will have to address BYOD in the coming year; smartphones and tablets are being adopted at such a high rate that hospitals are almost compelled to support them. Therefore, when a radiologist, a surgeon or an oncologist wants to use his or her device, IT sometimes has no choice but to both support it and secure it. In many circumstances, BYOD can be a net positive for hospitals as it promises quicker responsiveness, more accessibility to physicians and an overall improvement on patient care. However, IT staff responsible for healthcare security regulations now have a new and complex challenge to solve: supporting healthcare professionals who bring their own device into hospital setting while still maintaining the security and confidentiality of personal health information. Hospital IT staff know that it's not just a technical issue but that BYOD may also require healthcare regulation policies to change and for additional education to be provided to mobile users.

BYOD & HIPAA

The current Health Insurance Portability and Accountability Act regulations in place are among the primary policies that hospital IT staff needs to be aware of. HIPAA's key requirements were designed to ensure security at the point of dispatch, during transit and at delivery. The increasing scrutiny required today, including the demand for more privacy and regulatory requirements, are forcing healthcare organizations to create even more stringent policies. At odds with this is the increased porosity due to more connected and networked workplace environments. Physicians now have the ability to actively network on social media sites to share treatment suggestions and real-world evidence, for example, while still being in compliance with these increasingly strict healthcare regulations. Personal applications also pose risks; rogue applications installed by the clinician could potentially access PHI because the device is now tied to the hospital's network.

The main security challenge lies in the dual-use nature of mobile devices. A stolen or lost physician's laptop, on one hand, will probably already have security measures built in such as whole disk encryption and authentication requirements, but smartphones and tablets, especially personal devices, eschew these added layers of protection in favor of ease of use, simplicity and quick access.

One of the biggest new dangers of BYOD is the latest crop of Dropbox-style synchronization applications. By poking a hole in the institution's security fabric to synchronize files to mobile devices, the physician is potentially creating a new channel through which confidential patient information could leak. Many healthcare institutions have decided to shut off access to these synchronization tools until there's a way to manage them as hospital applications with centralized control, granular permissioning and integration with established authentication services.

So how can you prepare your healthcare organization to handle these additional security risks? What steps should you take to extend your current network security to cover these mHealth security holes?

Mobile devices are simply the latest vector to threaten hospital security, but here are remedies to these threats that will satisfy both IT groups and healthcare practitioners. The following 10-point list will help you think about the framework for a BYOD policy that can help you meet your HIPAA and PHI security requirements.

10 ways to meet BYOD security requirements

1. Review your current security policies for web applications (CRM, email, portals), VPN and remote access. Most, if not all, of these will apply to mobile devices as well.

2. Determine which devices you are willing to support — not all devices meet the security requirements of your healthcare organization, nor do you want to have to test all possible platforms. Also, physically inspect each device and make sure it hasn't been jailbroken or rooted.

3. Set expectations clearly. IT may have to radically change physicians' mindsets. Yes, security adds additional layers to wade through, but what havoc would a security breach cause?

4. Write clear and concise policies for all employees who want to use their personal devices. Have anyone participating in BYOD sign your terms of use. Those who choose not to follow your policies should not expect to use their device.

5. Make a personal identification number, or other client authentication, mandatory. This hampers ease of use, but is the first line of defense against a lost device.

6. Enforce encryption of data at rest; any apps that download and store data on the device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.

7. With hundreds of thousands of apps available, which will you permit? Are there any specific applications or class of applications you want to keep off the device? This can be hard to do, but malware and rogue apps can do serious damage without users realizing it.

8. Provide training to physicians and hospital staff to make sure they understand how to correctly use their applications, make the most of their mobile capabilities and watch for suspicious activity. Once you've embraced BYOD, promote it.

9. As mobile devices become conduits for information to flow, look for apps that include auditability, reporting and centralized management. Many current apps will not have this feature, but those that do will be easier to trace back any potential breaches.

10. Consider mobile device management software that can provide secure client applications like email and web browsers, over the air device application distribution, configuration, monitoring and remote wipe capability. Note that some MDM providers require applications to be re-written specifically to support their platform, so you may find some of your applications will not run in the MDM solution you pick.

As technology evolves, so will BYOD policies and practices. Just when you think you have covered all of your bases, a new "must-have" mHealth app demanded by your healthcare practitioners will break it — and you'll have to find ways to accommodate the app or simply block it. There's no single solution that will solve all the BYOD issues, but a combination of policies, education, best practices and third-party solutions can help mitigate the multiple security concerns. But by defining your overall goals and setting up guidelines and policies early, you can lay the foundation as well as provide the flexibility you need to meet your security requirements to keep up with changing trends.Bill Ho is the president of Biscom, a software company providing solutions for secure file transfer and fax solutions to enterprises. In addition to architecting and developing enterprise solutions, Mr. Ho has been speaking and writing about mobile and web technologies for the last 16 years. Mr. Ho received degrees in Computer Science from Stanford and Harvard.